Conference Schedule

Presentation descriptions below the schedule

If you prefer a plain, black and white page: Plain Schedule

9:45Opening Remarks
Lea Snyder (@_leisures) & Patrick Laverty (@plaverty9)
10:00How to Rob a Bank Over the Phone
Joshua Crumbaugh (@nagasecurity)
An Analysis of the Size and impact of Digital Footprints (25 mins)
Whitney Maxwell (@WhitneyNMaxwell)
10:30Become a Human nMAP! - Cultivating a 'Renaissance Approach' for the Socal Engineer (25 mins)
Tigran Terpandjian (@th3CyF0x)
11:00So You Wanna Be a Social Engineer?
Christopher Hadnagy (@HumanHacker)
Make Vishing Suck Less
Jonathan Stines (@fr4nk3nst1ner)
Sponsored by Brown University School of Professional Studies
Birds of a Feather/HallCon
  • SE education/curriculum development
  • Pre-text Ideas/Stories
  • Physical Bypass Techniques
1:00Panel: Social Engineering CTF Champions!
Moderator: Christopher Hadnagy (@HumanHacker)
Panelist: Chris Kirsch (@Chris_Kirsch)
Panelist: Whitney Maxwell (@WhitneyNMaxwell)
Panelist: Joe Gray (@C_3PJoe)
2:00Social Engineer Your Way to an Infosec Career
Paul Asadoorian (@SecurityWeekly)
A Proven Methodology for Open-Source Intelligence Gathering and Social Engineering
Emilie St. Pierre (@L4bf0x) and Robby Stewart (@RizzyRong)
3:00Human Pentest
Summer Lee (@Crazian)
Social Engineering Class Project for Undergraduate Students in Multiple Disciplines
Dr. Aunshul Rege (@Prof_Rege)
4:00Social Engineering at Work - How to Use Positive Influence to Gain Management Buy-in for Anything
April C. Wright (@AprilWright)
Trape: The Evolution of Phishing Attacks (Internet People Rsearch)
Jose Pino (@jofpin) and Jhonathan Espinosa (@st4nn)
5:00Closing Remarks, Raffle Giveaway, Big thank you!
5:30Post-Conference Networking: "The Landing", Bowen's Wharf, Parking available near Newport Marriott


How to Rob a Bank Over The Phone
By Joshua Crumbaugh (@nagasecurity)
This talk will be 50% real audio from a social engineering engagement and 50% lessons learned from the call. During this call I talk a VP at a bank into giving us full access to his computer as well as facilities. At one point during the call, the AV triggers (thanks to a junior submitting the payload to virustotal :)). This is an intense call with a ton of valuable lessons for any social engineer or defender looking to learn how to identify attacks.

An Analysis of the Size and Impact of Digital Footprints
By Whitney Maxwell (@WhitneyNMaxwell)
Personal information available online is known as a digital footprint. While many have a digital footprint, few if any, know what it encapsulates or how to control it. Technology and personal information are becoming more intertwined as technology becomes more integrated with everyday activities. Personal information can be defined as details that apply to a person such as race or shopping habits. Shopping habits are considered personal information by many corporations who spend money to track, or even predict purchases of individuals, whereas more traditional forms of personal information are details like gender, birthdate, and home town. With a wide breadth of personal information available, not all of it is equally valuable or personally unique. This project is dedicated to determining the content and size of a digital footprint, and assessing its impact for an individual by defining the discoverability of that content.

Become a Human nMAP! - Cultivating a 'Renaissance Approach' for the Socal Engineer
By Tigran Terpandjian (@th3CyF0x)
As a security analyst with an atypical entry into the information security world, one of my research questions posed in social engineering is why reading a diverse array of topics is beneficial to the social engineer, be it something they are passionate about or not. In building upon Defcon 24's presentation at the Social Engineering Village by Tomohisa Ishikawa: "Does Cultural Differences become a barrier for social engineering?" cultural differences presented by different countries place emphasis on different genres; therefore, what one person from a certain country holds dear, the other may not. Therefore, your reconnaissance, pretexts and elicitations and the support required must be able to adapt. I have found this to be true. Reading/Watching/Listening like a 'Renaissance individual (knowledgeable on a variety of topics but not limited to select ones) ameliorates this challenge. The answer came from a combination of attending the Advanced Practical Social Engineering course in 2016 and a self-reflection; all the reading I loved and hated as a child and as an adult has given me an extensive web to build rapport through as a social engineer and improve my elicitation to procure more information . In my talk, I would like to discuss how to develop a strategy and which areas to focus on so you would be available to navigate even through the 'darkest of waters' and the 'coldest of individuals' and get information you would need. This talk is a combination on the topics of Social Engineering and Reconnaissance

"So You Wanna Be an SE? - Breaking Into the Field"
By Chris Hadnagy (@HumanHacker)
Description TBA

Make Vishing Suck Less
By Jonathan Stines (@fr4nk3nst1ner)
The purpose of this talk is to describe methodologies which one could follow when performing telephone pretexting. Social dynamics have changed over the years causing the entry barrier to being successful with Vishing more difficult and talking on the telephone less comfortable. The aim of this speech will be to crack the code for a newb getting started so he or she can hit the ground running, jump on the horn, and start pwning some folks like it's 1989.

Lunch is graciously sponsored by Brown University's School of Professional Studies

Panel: Social Engineering CTF Champions!
A panel with Social Engineering CTF champions from DefCon and DerbyCon! Hear how they did it, what was their strategy, and tips they can give for others for getting into the soundproof booth! This panel features:

Social Engineering Your Way To An Infosec Career
By Paul Asadoorian (@SecurityWeekly)
Want a fantastic career in Infosec? Maybe you want to be the next security startup founder? Having goals is good, but the question becomes "How do I get there?" Social engineering on the surface, may not sound like a good tactic to having an amazing career or creating a startup company, but it certainly helps. There are many social engineering strategies I've learned in recent years that apply directly to your career. Technical proficiency is but one aspect of your infosec career. Communication, teamwork, sales, marketing and other so-called "soft skills" are equally as important. And guess what? Many of those activities become easier by applying social engineering research. In the past few years I've been on numerous sales calls (with mixed success), presented at conferences, rejected by some conferences, successfully pulled off webcasts, failed at some webcasts, and the list goes on. In this presentation, I will share with you the techniques and tactics I've learned that helped my infosec career and business. I have built these skills by interviewing people, working with a diverse set of people, reading books, and lessons learned from failures. So come and learn from my mistakes and social engineer your way to a great infosec career!

A Proven Methodology for Open-Source Intelligence Gathering and Social Engineering
By Robert Stewart (@RizzyRong) and Emilie St. Pierre (@L4bf0x)
We are Emilie St-Pierre and Robby Stewart, and have extensive experience with all types of social engineering engagements, from physical to electronic and have presented on the subject in the past.
We are working to develop a methodology for Open-Source Intelligence (OSINT) Gathering, and templates for Electronic Social Engineering (ESE) engagements. By gathering data from past Rapid7 ESE engagements we're able to compile the following data points.

  1. Target names
  2. E-mails
  3. Phone numbers
  4. Titles/Job positions
  5. Externally-available technology (portals, VPN, Citrix, OWA, O365)
  6. Third party affiliations (courier, insurance, vendor, etc. (anything used to masquerade as 3rd party)
  7. Metadata
With these data points, we are able to answer the following questions as it pertains to ESE engagements that Rapid7 has performed.
We will be presenting our findings and we will be releasing the methodology that we've developed as a guild for others interested in gathering OSINT leading up to an engagement.

Human Pentest
By Summer Lee (@Crazian)
The mantra of any good red teamer is, "hope for the best, but plan for the worst." In this talk, I will cover tactics and approaches that can be leveraged to achieve client goals and successfully provide value even when going in cold. Various stories will be used to provide examples of merging social engineering with physical and logical access during physical red team assessments to ultimately achieve success. This talk will start off with covering the planning process for three different scenarios: brute force, insider attack, and planned attack. Next, I will review "needed" vs. "would be nice to have" tools (for achieving both physical and logical access as well as persistence) and the prep work once a methodology has been agreed upon with the client. They will then go into tips on what a red teamer should know and do while conducting the assessment such as identifying cameras, sweeping the office before sitting at a computer, and preparing hiding areas for nighttime patrols. The talk will also cover more in-depth tactics such as tips for achieving logical access as well as what to focus on once you obtain domain administrator or other high-level privileges within the network. Finally, it will cover worst-case-scenarios and tips for moving forward with an assessment when nearly all hope of reaching the final objective is lost.

Social engineering class project for undergraduate students in multiple disciplines
By Aunshul Rege (@prof_rege)
This talk shares an educator's attempt to involve undergraduate students across multiple disciplines in experiential learning (EL) class projects on social engineering. Specifically, it focuses on three sub-projects that were implemented in the Spring 2018 semester: (i) shoulder surfing where student teams competed against each other, (ii) laptop distraction, where student teams attempted to convince Temple University Computer Services employees to leave their laptops (designed for the class exercise) so that the students could remove a bogus 'intellectual property' file and place a fake 'malware' program on the employees' machines, and (iii) convince individuals on Temple University campus to take a selfie with team members and a funny prop. Through each of these activities, students learn about social engineering tactics and self awareness.
The talk uses the cyclical EL model and its five stages: Experience; Share; Process; Generalize; and Apply to illustrate how students engage in these projects. It highlights several benefits, such as fostering multidisciplinary dialog, developing qualitative research skills, understanding adversarial mindsets, and appreciating the non-technical aspects of cyberattacks. This talk uses students' and the educator's reflections as a narrative to discuss ongoing efforts, struggles, challenges, and lessons learned.

Social Engineering At Work - How to use positive influence to gain management buy-in for anything
By April Wright (@aprilwright)
Do you understand how to navigate office politics and regularly get what you want and need to make your security efforts take off and be successful? Are there projects or programs you want to institute, but have trouble getting started or knowing how to get people on-board? Most of us understand how SE can be used to test for human vulnerabilities, but socializing at work may give us a yucky feeling. However, if you really want to learn how to get buy-in for your ideas or projects and get what you want, you need to be able to navigate the social system at work and exert indirect influence. It is possible to study and reverse the "dark arts" of SE to actually achieve positive goals; SE principles are used every day by savvy business people to make things happen, even if they don't realize that they're using them. Let's define ways even the most introverted person can play the corporate game in a non-malicious non-manipulative way. Then, we can use this knowledge within our organizations to improve our security posture, "sell" security to stakeholders, and lessen risk. Learn how to utilize the tools of SE "for good" so that we can better serve our infrastructures and customers.

Trape: the evolution of phishing attacks (Internet people research)
By Jose Pino (@jofpin) and Jhonathan Espinosa (@st4nn)
Trape is a recognition tool that allows you to track people and make phishing attacks in real time, the information you can get is very detailed. Objective is to teach the world through this, how the big Internet companies could monitoring you, getting information beyond your IP, such as the sessions of your sites or Internet services.